Virtualization in digital substations is a rising trend in the power sector, opening up interesting research avenues. The virtualization of intelligent electronic devices (IEDs) is thought to enable more flexible and agile cybersecurity software updates and patching processes while seamlessly integrating with current physical IEDs. However, no studies have yet considered a general cybersecurity assessment for such novel hybrid systems. To fill this gap, a systematic cybersecurity assessment of a digital substation composed of hybrid (virtual and physical) IEDs is presented in this paper. A testbed was developed to assess the different attack vectors with a focus on targeting virtual machines (resource exhaustion) and injection attacks on IEC 61850-compliant communication streams. A hybrid protection selectivity use case was successfully demonstrated with multiple targeted cyber attacks on the testbed where the non-attacked IED successfully cleared the grid fault. The attacks’ impacts ranged from minor to major effects on the IEDs’ tripping signals (and eventually circuit breaker actions) including forced signal delays, signal latching, and signal drops. The results of this study highlight the importance of providing a proper cybersecurity by design strategy for integrating hybrid substation systems with virtualization technologies.

Digitalization is paving the way toward enhanced power grid operational capabilities and intelligence. The increased digitalization, however, also implies a greater risk of cyber vulnerabilities and threats. Therefore, various power systems facets such as transmission and distribution systems, digital substations, control centers, and wide-area communication networks are vulnerable to cyber-attacks. The most notable cyber-attacks on power grids are the twin attacks on the Ukrainian power grid in 2015 and 2016. These incidents clearly highlighted that cyber-attacks on power grids are an imminent threat that needs to be addressed. Keeping this in mind, this chapter provides essential knowledge of cyber-attack mitigation for cyber-physical power systems, i.e., secure communication protocols for operational technologies, penetration testing using cyber ranges and cyber-physical co-simulation, security controls, and intrusion detection and prevention systems. Among the wide-scope mitigation, artificial intelligence is highlighted as an emerging solution. This chapter presents how hybrid deep learning based on graph convolutional long short-term memory is used for anomaly detection in power system operational technology (OT) networks. Unlike traditional signature and supervised learning-based intrusion detection, the hybrid deep learning anomaly detection utilizes the OT traffic throughput. It takes advantage of the OT traffic’s deterministic and homogenous characteristics to provide a robust and flexible anomaly detection for a wide scope of cyber-attacks. The traffic anomalies are incorporated into an attack graph that aids power system operators identify and localize anomalies of active attacks on power systems in near real time. Cyber-attack case studies and cyber-physical co-simulation results are provided to demonstrate the efficiency of hybrid deep learning for anomaly detection.

The Digital Twins (DT) have emerged as the technology that provides capabilities to simulate and analyze cyber-physical systems’ behaviors using digital replicas. This is achieved through high-fidelity digital models, bi-directional communication and (near) real-time data exchange between physical real-world systems and DTs. Despite its capabilities of facilitating real-time monitoring, optimization, and predicting system performance, effectively leveraging DT for power system applications requires integrating data from heterogeneous sources and addressing various data related aspects. These include data modeling, exchange and interoperability. One promising concept to address these aspects is that of data federation which promotes interoperability, allowing DTs to operate autonomously, yet interact seamlessly. While various studies in literature have addressed DT applications, technologies, and challenges, a comprehensive review on the data federation aspects within power systems still needs to be investigated. This research seeks to bridge this gap by providing an in-depth review of DT practices in academia and industry, functional and non-functional requirements, and enabling technologies, with emphasis on data federation. Its role in enhancing system-wide interoperability in the power system, along with associated challenges are summarized and discussed.

As a part of energy transition, the shift from internal combustion engines (ICEs) to electric vehicles (EVs) has accelerated the development of the EV charging infrastructure (EVCI). EVCI rely heavily on information and communication technologies (ICTs) and the Internet of Things (IoT). As a result, the susceptibility to cyber attacks increases. However, although EVCI are strongly intertwined with cyber-physical power systems (CPPSs), the consequences of such a cyber attack on the power grid are not widely researched. In this paper, we present a comprehensive cyber-physical system architecture of the EV charging infrastructure based on the industry practice in The Netherlands, which is applicable to European distribution systems. We present a survey of work on EVCI cyber security and CPPS resilience. We combine unique industrial insights with the academic state-of-the-art. We show that although cyber security of EVCI is researched, the state-of-the-art inadequately covers the consequences for CPPSs, especially distribution networks. We survey the current work on CPPS resilience and conclude that while cyber attacks are often recognized as high impact low probability (HILP) disturbances of CPPSs, the resilience-related research on cyber attacks on EVCI is lacking. Therefore, we present a novel method to model the stochastic EV charging behaviour based on probability density functions (PDFs). We validate the method using PowerFactory models of distribution networks supplied by a Dutch distribution system operator (DSO). We demonstrate the effects of cyber attacks on EVCI on distribution networks voltages. Under the investigated operational scenario, the impact is not significant. However the results do underline the importance of researching cyber attacks on EVCI from a CPPS resilience perspective. Research into future scenarios of energy transition is essential for future resilient operation of power grids.

Power grids are undergoing a fast-paced process of digitalization for enhanced monitoring and control capabilities and grid intelligence. However, the increased integration of digital technologies, such as the next generation of operational technologies (OTs) and digital substations, implies a new risk as information technology (IT)-OT systems are vulnerable to cyberattacks. Furthermore, the combination of heterogeneous, co-existing smart and legacy technologies generates significant vulnerabilities and security challenges. Examples of cybersecurity incidents related to power grids already exist around the world. On December 23, 2015, cyberattacks were conducted on the power grid in Ukraine that resulted in power outages, which affected 225,000 customers. More sophisticated cyberattacks on the Ukrainian power grid followed on December 17, 2016, resulting in a power outage in the distribution network where 200 MW of load was unsupplied. The complexity of cyberattacks on power systems is likely to increase. This chapter provides the state-of-the-art and essential knowledge of threats and cyberattacks on power systems. This chapter reviews major cyberattacks on power grids and industrial control systems. A detailed taxonomy of cyberattacks is provided. Power grid vulnerability to six main types of cyberattacks is discussed, that is, phishing, malware, network-based attacks, man-in-the-middle attacks, host-based attacks, and denial of service. The impact of cyberattacks on grid operation is analyzed in terms of loss of load, cascading effects, and equipment damage. A case study of a cyberattack scenario and simulation results are provided.

Cyber security risks are emerging in Cyber-Physical power Systems (CPS) due to the increasing integration of cyber and physical infrastructures. Critical component identification is a crucial task for the mitigation and prevention of catastrophic blackouts. In this paper, we propose a novel method using graph data mining for critical CPS components identification named GraphCCI. First, it defines two categories of component correlations to reveal the cascading features of CPS. GraphCCI maps cascading failure datasets under time-varying operational states into weighted cascading graphs and constructs a graph database for graph data mining. By adopting graph data mining techniques, frequent subgraphs are identified to construct the Cascading Characteristics Graph (CC-Graph). Finally, the Node Criticality Index (NC-Index) is proposed to quantify the criticality of each CPS component. The experimental results on the IEEE 39-bus system verify the effectiveness of the proposed method and present an in-depth analysis of the CPS cascading features.

Synthetic networks aim to generate realistic projections of real-world networks while concealing the actual system information. Researchers have mainly explored methods to create synthetic power systems. However, with the rapid power grid digitalization, new methods are needed for synthetic communication networks of cyber–physical power systems (CPPS). In this article, we propose a two-stage generative model for generating synthetic communication topologies of large-scale CPPS based on the existing power grids. It reproduces the existing communication network design process and is capable of generating statistically realistic networks. The proposed method is implemented to create a realistic, large-scale synthetic CPPS for the interconnected power grids in continental Europe. The method is validated by comparing the generated communication network with 18 realistic communication network topologies with different system sizes. The experimental results validate the scalability and effectiveness of the generative model.

The increasing risk of cyber-physical attacks (CPAs) on power infrastructure has led to need for reliable detection technologies. As the landscape of cyber threats evolves, it becomes imperative to continually update and enhance attack detection techniques. This research investigates the formulation of detection algorithm, via combination of State Partition Particle Filter (SP-PF) theories for power system security. The proposed approach applies intelligent partitioning of the state space so as to be accurately represented with fewer particles. This reduction in computational demand enhances the algorithm’s efficiency, making it more practical for real-time applications. The detection algorithm based on SP-PF is tested against switching attacks (SAs) launched on the governor and excitation systems associated with the generator. The RTDS platform is utilized for conducting real-time simulations of IEEE 9-bus power network in order to demonstrate the efficacy of proposed SP-PF based detection SA in real-time.

High Voltage Direct Current (HVDC) technology is one of the key enablers of the energy transition, especially for offshore wind energy systems. While extensive research on cyber security of High Voltage Alternating Current (HVAC) systems has been conducted, limited research exists on cyber security aspects of HVDC systems. These systems exhibit unique attributes, in comparison to HVAC systems, such as longer transmission line distances and increased volume of data samples for wide-area monitoring, control, and protection applications. These factors lead to a higher vulnerability of HVDC systems to cyber attacks. Existing state-of-the-art HVDC surveys, however, are primarily focused on HVDC physical components and exclude cyber security elements. Therefore, this paper presents the first detailed survey on the cyber security of HVDC Cyber-Physical Systems (CPS). We present a comprehensive review of the state-of-the-art HVDC systems, with a special focus on cyber threats and vulnerabilities, defense and mitigation strategies, and testbeds. Based on the review and analysis, insights and recommendations on future research directions to address the research gaps in this field of study are provided. Future research on cyber security for HVDC systems should prioritize the integration of cyber and physical system data and focus on early-stage detection to mitigate the potentially severe impacts of cyber attacks on HVDC grids.

Power systems are undergoing rapid digitalization. This introduces new vulnerabilities and cyber threats in future Cyber-Physical Power Systems (CPPS). Some of the most notable incidents include the cyber attacks on the power grid in Ukraine in 2015, 2016, and 2022, which employed Advanced Persistent Threat (APT) strategies that took several months to reach their objectives and caused power outages. This highlights the urgent need for an in-depth analysis of APTs on CPPS. However, existing frameworks for analyzing cyber attacks, i.e., MITRE ATT&CK ICS and Cyber Kill Chain, have limitations in comprehensively analyzing APTs in CPPS environments. To address this gap, we propose a novel Advanced Cyber-Physical Power System (ACPPS) kill chain framework. The ACPPS kill chain identifies the APT characteristics that are unique to power systems. It defines and examines the cyber-physical APT stages spanning from the initial phases of infiltration to cascading failures and a power system blackout. The proposed ACPPS kill chain is validated with real-world APT attacks on the power grid in Ukraine in 2015 and 2016, and cyber-physical simulations.

Cyber actors can target the unsecured IEC 61850 protocols in digital substations to open circuit breakers and affect the power system operation. Thus, system operators must detect cyber-physical anomalies and differentiate in real-time between power system faults and cyber attacks on digital substations for effective incident response. In this work, we propose a novel image encoding method for event correlation using cyber-physical time-series data, i.e., Phasor Measurement Units (PMUs) and Operational Technology (OT) network traffic. More specifically, we propose a dynamic variation of the Gramian Angular Field method, which generates image streams capturing in real-time the spatial-temporal features in PMU measurements and IEC 61850 GOOSE traffic throughput. The proposed method for cyber-physical event correlation uses an image fusion technique. The method is tested using the benchmark IEEE 9-bus system. It successfully distinguishes between three-phase faults and GOOSE cyber attacks, demonstrating its usefulness for power system cyber security analytics.

Today's critical infrastructure systems are more interconnected and dependent on the electric power grid. This interdependence means that disruptions in one system can have far-reaching consequences across many others. This is particularly evident when a cyberattack in the power grid leads to widespread outages and disrupts essential societal services. To prevent such disasters, it is crucial that proactive actions are taken to secure our power grid control centers and digital substations. This is where digital twins (DTs) play an important role: By creating virtual replicas of cyberphysical assets and processes, DTs allow system operators to anticipate and address potential vulnerabilities in our cybersecurity defenses before they can be exploited. As such, a DT can be considered as a key contributor to safeguard the power system against cyberattacks. This article examines the potential future benefits of DTs in enabling a cybersecure and resilient power grid, explores multiple use cases, and proposes a path forward.

Power grid digitalization introduces new vulnerabilities and cyber security threats. The impact of cyber attacks on power system stability is a topic of growing concern, which is yet to be comprehensively analyzed. Traditional power system stability analysis is based on the impact of non-malicious small, and large physical disturbances. However, cyber attacks introduce a new dimension to power system stability, in which malicious cyber actors can selectively target critical systems and applications and cause severe stability issues. Hence, in this work, the traditional disturbances considered in power system stability classification are expanded from physical to cyber-physical disturbances caused by cyber attacks. Based on a thorough state-of-the-art, an analysis of how cyber attacks can translate into physical disturbances affecting the traditional power system stability categories is performed. The system stability analysis is expanded by mapping the power system stability categories with the defined cyber-physical attack types. The findings of this work showcase the importance of cyber security for power system stability.

Electrical power grids are vulnerable to cyber attacks, as seen in Ukraine in 2015, 2016, and 2022. These cyber attacks are classified as Advanced Persistent Threats (APTs) with potential disastrous consequences such as a total blackout. However, state-of-the-art intrusion detection systems are inadequate for APT detection owing to their stealthy nature and long-lasting persistence. Furthermore, they are ineffective as they focus on individual anomaly instances and overlook the correlation between attack instances. Therefore, this research proposes a novel method for spatio-temporal APT detection and correlation for cyber-physical power systems. It provides online situational awareness for power system operators to pinpoint system-wide anomaly locations in near real-time and preemptively mitigate APTs at an early stage before causing adverse impacts. We propose an Enhanced Graph Convolutional Long Short-Term Memory (EGC-LSTM) by using sequential and neural network filters to improve APT detection, correlation, and prediction. Control center and substation communication traffic is used to determine cyber anomalies using semi-supervised deep packet inspection and software-defined networking. Power grid circuit breaker status is used to determine physical anomalies. Cyber-physical anomalies are correlated in cyber-physical system integration matrix and EGC-LSTM. The EGC-LSTM outperforms existing state-of-the-art spatio-temporal deep learning models, achieving the lowest mean square error.

Cascading failures in power systems are extremely rare occurrences caused by a combination of multiple, low probability events. The looming threat of cyberattacks on power grids, however, may result in unprecedented large-scale cascading failures, leading to a blackout. Therefore, new analysis methods are needed to study such cyber induced phenomena. In this article, we propose a data-driven method for dynamical analysis of power system cascading failures caused by cyberattacks. We provide experimental proof on how attacks may accelerate the cascading failure mechanism, in comparison to historically observed blackouts. Using a dynamic power grid model, consisting of multiple, coordinated protection schemes, we define and analyze the point of no return in a cascading failure sequence by applying the Hilbert-Huang transform for time-frequency analysis. Numerical results indicate, cyberattacks may accelerate cascading failures at least by a factor of 3x. This is due to the excitation and non-damping of multiple frequency modes greater than 1 Hz in a short time span. The proposed method is tested using time domain simulations conducted through a modified IEEE 39-bus test system, which can simulate cascading outages using coordinated protection schemes.

The virtual integration of geographically distributed Research Infrastructures (RIs) for joint experiments in the domain of power and energy systems poses numerous challenges, particularly in terms of tool compatibility and user-friendliness. To address some of these challenges, this work presents the development and implementation of a laboratory-based middleware and data exchange service as part of the H2020 ERIGrid 2.0 project. The middleware comprises a suite of shared software tools and services designed to seamlessly integrate RIs including transport protocols as well as interface semantics. Specifically, this work details the development of a simplified and standardised interface known as the Universal Application Programming Interface (UAPI). It eliminates the need for users to grapple with the diverse intricacies of each individual RI, offering instead a tool-agnostic and standardised interface for conducting joint experiments. The work also presents and discusses the results of a real-world case study of a geographically distributed, sector-coupling experiment conducted between laboratories in Denmark, Greece, Italy, Netherlands, and Norway utilising the developed middleware.

Cyber-physical power systems are susceptible to cyber threats and attacks that can lead to cascading failures and widespread power outages. Therefore, mitigating the impact of such attacks requires the timely implementation of operational strategies to prevent cascading blackouts. One Such strategy is the controlled islanding of the affected power grid, serving as a last resort against the propagation of the cascading outages. In this context, this paper introduces a novel detection-informed operational mitigation strategy, i.e., controlled islanding, against cyberattack-induced cascading failures, addressing 'when' and 'where' to implement controlled islanding. The proposed strategy leverages dynamic cascading failure modeling to quantify the impact of ongoing cyberattacks on power grids, using quantitative metrics such as demand-not-served (DNS). For effective operational mitigation, the strategy initiates controlled islanding when any attack, including fabricated protection trip commands and measurements' replay attacks, are detected, and any operating limits, such as line loading, are violated. It then proceeds to the implementation of controlled islanding, where identified cyberattack-affected elements are effectively surrounded by stable and self-sufficient islanded areas, while minimizing the system DNS. Numerical results on the IEEE 39-bus system demonstrate the effectiveness of the proposed strategy, reducing the DNS value by up to 47% when the controlled islanding strategy is implemented.

This article implements and validates the performance of a virtual intelligent electronic device (vIED) framework for digital substations using a real-time (RT) simulation environment. The work looks toward the future design of protection, automation, and control systems, an evolution of the digital substation design based on IEC 61850 and virtualization technology. An RT simulation setup was developed to speed up and enhance the deployment and maintenance of vIEDs with a novel well-defined test methodology. Several scenarios were tested by varying the number of vIEDs and relevant (communication, scalability, and functionality) configuration criteria. In addition, we assessed the efficiency of a software-defined communication network for the vIED framework and its adaptability to dynamic scaling of the network under transient data traffic loads. The tests demonstrated the efficient performance of vIEDs across various system configurations, particularly for requirements on the response time and network transfer latency. The findings showcase the significance of proper design and testing methodology that can be benchmarked against other virtualization platforms for substation systems.

The cyber attacks in Ukraine in 2015 and 2016 demonstrated the vulnerability of electrical power grids to cyber threats. They highlighted the significance of Operational Technology (OT) communication-based anomaly detection. Many anomaly detection methods are based on real-time traffic monitoring, i.e., Intrusion Detection Systems (IDS) that may produce false positives and degrade the OT communication performance. Security Operations Center (SOC) needs intelligent tools to conduct forensic analysis on generated IDS alarms and identify the attack locations. Therefore, in this paper, we propose a novel, graph-based forensic analysis method for anomaly detection in power systems using OT communication network traffic throughput. It employs a hybrid deep learning model involving Graph Convolutional Long Short-Term Memory and a Convolutional Neural Network. The proposed method aids SOC with continuous OT security monitoring and post-mortem investigations. Results indicate that the proposed method is able to pinpoint the locations of cyber attacks on power grid OT networks with an AUC score above 75%.

Cascading effects in the power grid involve an uncontrolled, successive failure of elements. The root cause of such failures is the combined occurrence of multiple, statistically rare events that may result in a blackout. With increasing digitalisation, power systems are vulnerable to emergent cyber threats. Furthermore, such threats are not statistically limited and can simultaneously occur at multiple locations. In the absence of real-world attack information, however, it is imperative to investigate if and how cyber attacks can cause power system cascading failures. Hence, in this work we present a fundamental analysis of the connection between the cascading failure mechanism and cyber security. We hypothesise and demonstrate how cyber attacks on power grids may cause cascading failures and a blackout. To do so, we perform a systematic survey of major historic blackouts caused by physical disturbances, and examine the cascading failure mechanism. Subsequently, we identify critical cyber-physical factors that can activate and influence it. We then infer and discuss how cyber attack vectors can enable these factors to cause and accelerate cascading failures. A synthetic case-study and software-based simulation results prove our hypothesis. This analysis enables future research into cyber resilience of power grids.